Kaydet (Commit) 0d548873 authored tarafından Antoine Pitrou's avatar Antoine Pitrou

Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
......@@ -431,6 +431,7 @@ class Morsel(dict):
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_CookiePattern = re.compile(r"""
(?x) # This is a verbose pattern
\s* # Optional whitespace at start of cookie
(?P<key> # Start of group 'key'
""" + _LegalCharsPatt + r"""+? # Any word of at least one letter
) # End of group 'key'
......@@ -534,7 +535,7 @@ class BaseCookie(dict):
while 0 <= i < n:
# Start looking for a cookie
match = patt.search(str, i)
match = patt.match(str, i)
if not match:
# No more cookies
break
......
......@@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase):
</script>
""")
def test_invalid_cookies(self):
# Accepting these could be a security issue
C = cookies.SimpleCookie()
for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
C.load(s)
self.assertEqual(dict(C), {})
self.assertEqual(C.output(), '')
class MorselTests(unittest.TestCase):
"""Tests for the Morsel object."""
......
......@@ -142,6 +142,7 @@ Martin Bless
Pablo Bleyer
Erik van Blokland
Eric Blossom
Sergey Bobrov
Finn Bock
Paul Boddie
Matthew Boedicker
......
......@@ -132,6 +132,10 @@ Core and Builtins
Library
-------
- Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by
Sergey Bobrov.
- Issue #20537: logging methods now accept an exception instance as well as a
Boolean value or exception tuple. Thanks to Yury Selivanov for the patch.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment